This commit un-deprecates DeprecatedString, and repurposes it as a byte
string.
As the null state has already been removed, there are no other
particularly hairy blockers in repurposing this type as a byte string
(what it _really_ is).
This commit is auto-generated:
$ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \
Meta Ports Ladybird Tests Kernel)
$ perl -pie 's/\bDeprecatedString\b/ByteString/g;
s/deprecated_string/byte_string/g' $xs
$ clang-format --style=file -i \
$(git diff --name-only | grep \.cpp\|\.h)
$ gn format $(git ls-files '*.gn' '*.gni')
Fixes apps showing redundant error messages and terminating
unnecessarily on failed file requests. It's nicer to drop the
user off at the equivalent of a default document on failure if
possible.
Also fixes TextEditor not showing response errors for missing files
in the recently opened list.
The pattern to construct `Application` was to use the `try_create`
method from the `C_OBJECT` macro. While being safe from an OOM
perspective, this method doesn't propagate errors from the constructor.
This patch make `Application` use the `C_OBJECT_ABSTRACT` and manually
define a `create` method that can bubble up errors from the
construction stage.
This commit also removes the ability to use `argc` and `argv` to
create an `Application`, only `Main`'s `Arguments` can be used.
From a user point of view, the patch renames `try_create` => `create`,
hence the huge number of modified files.
This is not guaranteed to always work correctly as ArgsParser deals in
StringViews and might have a non-properly-null-terminated string as a
value. As a bonus, using StringView (and DeprecatedString where
necessary) leads to nicer looking code too :^)
These functions return the deprecated `Core::File` class, so let's mark
it as such to avoid possible confusion between future non try_*
functions which will use Core::Stream family classes and to possibly
grab someone's attention. :^)
Rip that bandaid off!
This does the following, in one big, awkward jump:
- Replace all uses of `set_main_widget<Foo>()` with the `try` version.
- Remove `set_main_widget<Foo>()`.
- Rename the `try` version to just be `set_main_widget` because it's now
the only one.
The majority of places that call `set_main_widget<Foo>()` are inside
constructors, so this unfortunately gives us a big batch of new
`release_value_but_fixme_should_propagate_errors()` calls.
Previously TextEditor updated its window title after the window was
already visible. This causes the default title ("GUI::Window") to be
shown for a short period of time which was especially noticeable when
opening files.
This is a partial revert of commit 7af5eef. After 97d15e9, the 'proc'
promise is not needed for operations using getsid().
This also fixes launching several applications in which 7af5eef added
the 'proc' promise only in the second call to pledge().
This commit does three things atomically:
- switch over Core::Account+SystemServer+LoginServer to sid based socket
names.
- change socket names with %uid to %sid.
- add/update necessary pledges and unveils.
Userland: Switch over servers to sid based sockets
Userland: Properly pledge and unveil for sid based sockets
The `/tmp/user` directory is owned by root, this solution prevents
malicious users to interfere with other users' portals.
This commit also moves `launch`'s portal in the user directory.
Various changes are needed to support this:
- The directory is created by Core::Account on login (and located in
/tmp).
- Service's sockets are now deleted on exit (to allow re-creation)
- SystemServer needs to handle SIGTERM to correctly destroy services.
Each of these strings would previously rely on StringView's char const*
constructor overload, which would call __builtin_strlen on the string.
Since we now have operator ""sv, we can replace these with much simpler
versions. This opens the door to being able to remove
StringView(char const*).
No functional changes.
pledge_domains() that takes only one String argument was specifically
added as a shortcut for pledging a single domain. So, it makes sense to
use singular here.
This is partially a revert of commits:
10a8b6d411561b67a1ad
Rather than adding the prot_exec pledge requried to use dlopen(), we can
link directly against LibUnicodeData in applications that we know need
that library.
This might make the dlopen() dance a bit unnecessary. The same purpose
might now be fulfilled with weak symbols. That can be revisted next, but
for now, this at least removes the potential security risk of apps like
the Browser having prot_exec privileges.
Loading libunicodedata.so will require dlopen(), which in turn requires
mmap(). The 'prot_exec' pledge is needed for this.
Further, the .so itself must be unveiled for reading. The "real" path is
unveiled (libunicodedata.so.serenity) as the symlink (libunicodedata.so)
itself cannot be unveiled.
Previously we unveiled the file specified through the command-line
interface. Now, we just make the request through the
FileSystemAccessServer instead.
Applications previously had to create a GUI::Menubar object, add menus
to it, and then call GUI::Window::set_menubar().
This patch introduces GUI::Window::add_menu() which creates the menubar
automatically and adds items to it. Application code becomes slightly
simpler as a result. :^)
Making use of the new FileSystemAccessServer we are able to use
unveil without restricting our ability to open and save files.
A file argument will be unveiled automatically however all other files
require user action via the FileSystemAccessServer to gain access.
Since applications using Core::EventLoop no longer need to create a
socket in /tmp/rpc/, and also don't need to listen for incoming
connections on this socket, we can remove a whole bunch of pledges!
